29 May 2015

Virtual Address Space

Paged system



Pay attention to the 'Page Table': that is the structure the MMU walks to translate a virtual address into a physical address.
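Added example (not from the osdev wiki page referenced below): the two-level walk a 32-bit x86 MMU does, CR3 -> page directory entry -> page table entry -> frame, over a constructed 64 KiB byte array standing in for physical memory. The table layout (directory at 0x1000, one page table at 0x2000, one 4 KiB mapping and one 4 MiB "large page" entry) is made up for the demo; a non-present entry is reported as a page fault.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "physical memory" for the walk: 64 KiB, enough to hold one
 * page directory (at 0x1000) and one page table (at 0x2000). Not a dump. */
#define PHYS_SIZE (64u * 1024u)
#define CR3_VALUE 0x1000u

#define PG_P  (1u << 0)   /* present */
#define PG_RW (1u << 1)   /* writable */
#define PG_PS (1u << 7)   /* in a PDE: 4 MiB page, no page table below it */

#define FAULT 0xFFFFFFFFu /* sentinel returned by lookup() on a page fault */

static uint32_t rd32(const uint8_t *mem, uint32_t pa) {
    uint32_t v; memcpy(&v, mem + pa, 4); return v;   /* little-endian host, as on x86 */
}
static void wr32(uint8_t *mem, uint32_t pa, uint32_t v) { memcpy(mem + pa, &v, 4); }

/* Two-level 32-bit x86 walk: vaddr = [31:22 PDE index][21:12 PTE index][11:0 offset].
 * Returns 0 and sets *paddr, or -1 on a page fault (entry not present). */
int translate(const uint8_t *mem, uint32_t cr3, uint32_t vaddr, uint32_t *paddr) {
    uint32_t pd_base  = cr3 & 0xFFFFF000u;                  /* CR3[31:12] = page directory frame */
    uint32_t pde_addr = pd_base + ((vaddr >> 22) & 0x3FFu) * 4;
    if (pde_addr + 4 > PHYS_SIZE) return -1;                /* bounds check for the toy memory */
    uint32_t pde = rd32(mem, pde_addr);
    if (!(pde & PG_P)) return -1;
    if (pde & PG_PS) {                                      /* large page: PDE[31:22] is the frame */
        *paddr = (pde & 0xFFC00000u) | (vaddr & 0x003FFFFFu);
        return 0;
    }
    uint32_t pte_addr = (pde & 0xFFFFF000u) + ((vaddr >> 12) & 0x3FFu) * 4;
    if (pte_addr + 4 > PHYS_SIZE) return -1;
    uint32_t pte = rd32(mem, pte_addr);
    if (!(pte & PG_P)) return -1;
    *paddr = (pte & 0xFFFFF000u) | (vaddr & 0xFFFu);        /* PTE[31:12] frame + 12-bit offset */
    return 0;
}

/* Build the constructed tables: PDE[1] -> page table at 0x2000, whose PTE[5] maps
 * frame 0x3000 (so 0x00405xxx -> 0x3xxx); PDE[2] is a 4 MiB page at 0x00C00000.
 * Every other virtual address faults. */
uint8_t *setup_memory(void) {
    uint8_t *mem = calloc(PHYS_SIZE, 1);
    if (!mem) exit(1);
    wr32(mem, CR3_VALUE + 1 * 4, 0x2000u | PG_P | PG_RW);
    wr32(mem, 0x2000u + 5 * 4,   0x3000u | PG_P | PG_RW);
    wr32(mem, CR3_VALUE + 2 * 4, 0x00C00000u | PG_PS | PG_P | PG_RW);
    return mem;
}

/* Convenience wrapper: translate against the constructed tables; FAULT on page fault. */
uint32_t lookup(uint32_t vaddr) {
    static uint8_t *mem = NULL;
    if (!mem) mem = setup_memory();
    uint32_t pa;
    return translate(mem, CR3_VALUE, vaddr, &pa) == 0 ? pa : FAULT;
}

int main(void) {
    uint32_t probes[] = { 0x00405ABCu, 0x008F1234u, 0x12345678u };
    for (size_t i = 0; i < 3; i++) {
        uint32_t pa = lookup(probes[i]);
        if (pa == FAULT) printf("vaddr 0x%08x -> #PF (not present)\n", probes[i]);
        else             printf("vaddr 0x%08x -> paddr 0x%08x\n", probes[i], pa);
    }
    return 0;
}
```

The bit slicing is the whole point: the same 32-bit value is cut into two 10-bit table indices and a 12-bit offset, and a PDE with PS set short-circuits the second level and keeps 22 bits of offset instead.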



ref:
1) http://wiki.osdev.org/Paging

26 May 2015

volatility tips

To avoid passing the profile and the memory dump location on every command, set them as environment variables:

1)
$ export VOLATILITY_PROFILE=Win7SP1x64
$ export VOLATILITY_LOCATION=file:///path/to/MEMORY.DMP

$ python vol.py imageinfo



connections/connscan/sockets/sockscan work on Windows XP/2003 only.
Use the netscan plugin for anything Vista/2008/Win7 and later.





ref:
1) http://kromer.pl/malware-analysis/memory-forensics-using-volatility-toolkit-to-extract-malware-samples-from-memory-dump/




22 May 2015

ARP Broadcast: how IPScan gathers all the IP and MAC addresses on a segment

ARP Broadcast



To send a packet to an IP address, a host must:

  • Get the MAC address of the destination
    • via an ARP broadcast
  • The sender's own MAC and IP addresses are included in the ARP broadcast packet.


IPScan receives every ARP broadcast on the segment and keeps the resulting IP/MAC list.
If an unregistered MAC address shows up, it spoofs the IP address owned by that MAC address.
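Added example (my own code, not IPScan's): the passive side of what is described above. It parses Ethernet/ARP frames, records the sender MAC/IP pair that every request and reply carries, and flags an IP that reappears with a different MAC. The three frames are constructed in the code (not captured): a request from 192.168.1.10, the reply from the gateway 192.168.1.1, and a second request claiming 192.168.1.10 from a different MAC.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN    14
#define ARP_LEN     28
#define ETH_P_ARP   0x0806
#define ARP_REQUEST 1
#define ARP_REPLY   2

struct arp_info { uint16_t oper; uint8_t sha[6], spa[4], tha[6], tpa[4]; };

/* Parse an Ethernet II frame carrying ARP for IPv4. Returns 0 on success, -1 if
 * the frame is too short, not ARP, or not Ethernet(6)/IPv4(4) address sizes. */
int arp_parse(const uint8_t *f, size_t len, struct arp_info *out) {
    if (len < ETH_HLEN + ARP_LEN) return -1;
    if (((f[12] << 8) | f[13]) != ETH_P_ARP) return -1;
    const uint8_t *a = f + ETH_HLEN;
    uint16_t htype = (uint16_t)((a[0] << 8) | a[1]), ptype = (uint16_t)((a[2] << 8) | a[3]);
    if (htype != 1 || ptype != 0x0800 || a[4] != 6 || a[5] != 4) return -1;
    out->oper = (uint16_t)((a[6] << 8) | a[7]);
    memcpy(out->sha, a + 8, 6);  memcpy(out->spa, a + 14, 4);   /* sender MAC, sender IP */
    memcpy(out->tha, a + 18, 6); memcpy(out->tpa, a + 24, 4);   /* target MAC, target IP */
    return 0;
}

/* The IP -> MAC list a scanner keeps. Requests and replies both carry the
 * sender's MAC and IP, so every ARP packet on the segment feeds the table. */
#define MAX_HOSTS 64
struct host { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_table { struct host h[MAX_HOSTS]; int n; };
enum { SEEN_NEW = 0, SEEN_KNOWN = 1, SEEN_CONFLICT = 2 };

/* Record the sender. SEEN_CONFLICT means a known IP now claims a different MAC,
 * which is what IP-conflict detection (and ARP spoofing detection) keys on. */
int table_observe(struct arp_table *t, const struct arp_info *a) {
    for (int i = 0; i < t->n; i++)
        if (memcmp(t->h[i].ip, a->spa, 4) == 0)
            return memcmp(t->h[i].mac, a->sha, 6) == 0 ? SEEN_KNOWN : SEEN_CONFLICT;
    if (t->n < MAX_HOSTS) {
        memcpy(t->h[t->n].ip, a->spa, 4); memcpy(t->h[t->n].mac, a->sha, 6); t->n++;
    }
    return SEEN_NEW;
}

/* Build a constructed ARP frame for the demo (not a real capture). */
static size_t build_arp(uint8_t *buf, uint16_t oper, const uint8_t *sha,
                        const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa) {
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    memcpy(buf, oper == ARP_REQUEST ? bcast : tha, 6);     /* requests go to ff:ff:ff:ff:ff:ff */
    memcpy(buf + 6, sha, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    uint8_t *a = buf + ETH_HLEN;
    a[0] = 0; a[1] = 1; a[2] = 0x08; a[3] = 0; a[4] = 6; a[5] = 4;
    a[6] = (uint8_t)(oper >> 8); a[7] = (uint8_t)oper;
    memcpy(a + 8, sha, 6); memcpy(a + 14, spa, 4); memcpy(a + 18, tha, 6); memcpy(a + 24, tpa, 4);
    return ETH_HLEN + ARP_LEN;
}

struct demo_result { int hosts; int conflicts; };

struct demo_result run_demo(void) {
    const uint8_t m_a[6]  = {0xaa,0xbb,0xcc,0xdd,0xee,0x01}, m_gw[6] = {0x00,0x11,0x22,0x33,0x44,0x55},
                  m_x[6]  = {0xde,0xad,0xbe,0xef,0x00,0x02}, zero[6] = {0};
    const uint8_t ip_a[4] = {192,168,1,10}, ip_gw[4] = {192,168,1,1};
    uint8_t frames[3][ETH_HLEN + ARP_LEN]; size_t lens[3];
    lens[0] = build_arp(frames[0], ARP_REQUEST, m_a,  ip_a,  zero, ip_gw);  /* who has .1? tell .10 */
    lens[1] = build_arp(frames[1], ARP_REPLY,   m_gw, ip_gw, m_a,  ip_a);   /* .1 is at 00:11:22:... */
    lens[2] = build_arp(frames[2], ARP_REQUEST, m_x,  ip_a,  zero, ip_gw);  /* .10 again, other MAC */
    struct arp_table t = {0}; struct demo_result r = {0, 0};
    for (int i = 0; i < 3; i++) {
        struct arp_info a;
        if (arp_parse(frames[i], lens[i], &a) != 0) continue;
        if (table_observe(&t, &a) == SEEN_CONFLICT) r.conflicts++;
    }
    r.hosts = t.n;
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("hosts learned: %d, IP/MAC conflicts: %d\n", r.hosts, r.conflicts);
    return 0;
}
```

A tool that wants the whole segment quickly does not have to wait for traffic: it can send its own requests for every address in the subnet and harvest the replies with exactly the same parser and table.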

19 May 2015

psexec

Examples:

Launch an interactive command prompt on \\workstation64; the CMD prompt window will appear locally:
psexec \\workstation64 cmd
Execute a program that is already installed on the remote system:
psexec \\workstation64 "c:\Program Files\test.exe"
Connect to workstation64 and run IPCONFIG to display the remote PC's IP address:
psexec \\workstation64 ipconfig
Connect to workstation64 and list a directory:
psexec \\workstation64 -s cmd /c dir c:\work
Connect to workstation64 and copy a file from another server:
psexec \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath
Execute IpConfig on the remote system, and display the output locally:
psexec \\workstation64 ipconfig /all
Copy the program test.exe to the remote system and execute it interactively, running under the account DannyGlover:
psexec \\workstation64 -c test.exe -u DannyGlover -p Pa55w0rd
Run Internet Explorer on the local machine but with limited-user privileges:
psexec -l -d "c:\program files\internet explorer\iexplore.exe"
Run Regedit on the local machine with SYSTEM privileges:
psexec -s -i regedit.exe
From PowerShell, run a VBScript on a remote workstation and pass some parameters:
PS C:> $script='C:\Program Files\demo.vbs'
PS C:> $args = "some more text"
PS C:> psexec -s \\workstation64 c:\windows\system32\cscript.exe $script $args


ref -> http://ss64.com/nt/psexec.html

21 April 2015

flask login form csrf

hidden_tag() renders the hidden csrf_token field for a Flask-WTF form; with Flask-User the login form class comes from user_manager:


    from flask import current_app, request

    # Flask-User keeps its form classes on app.user_manager. hidden_tag() renders
    # the hidden fields, csrf_token included, so the token must go inside <form>.
    user_manager = current_app.user_manager
    login_form = user_manager.login_form(request.form)
    token = login_form.hidden_tag()

18 April 2015

div idiv

div:
   div ebx     ;  eax = edx:eax / ebx,  remainder goes in edx


example:
   mov edx, 0
   mov eax, 0xd
   mov ebx, 5
   div ebx
   ;; result:   eax=2,  edx=3

# Somehow my Immunity Debugger does not accept the 'div 0x75' instruction.

idiv:
   signed version of div
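Added example (my own code, not from the page): an emulation of 32-bit DIV and IDIV with the cases a debugger session hides, the #DE fault when edx was not cleared and the quotient no longer fits in eax, and the wrong-but-silent result of IDIV without CDQ. For the record, DIV and IDIV take only a register or memory operand (r/m32), which is why an immediate such as 'div 0x75' is not accepted while 'div ebx' is.

```c
#include <stdint.h>
#include <stdio.h>

struct regs { uint32_t eax, edx; int fault; };   /* fault = 1 means #DE was raised */

/* DIV r/m32: edx:eax / divisor -> eax = quotient, edx = remainder (unsigned).
 * #DE on divide-by-zero OR when the 64-bit quotient does not fit in eax. */
struct regs x86_div32(uint32_t edx, uint32_t eax, uint32_t divisor) {
    struct regs r = { eax, edx, 1 };
    if (divisor == 0) return r;
    uint64_t dividend = ((uint64_t)edx << 32) | eax;
    uint64_t q = dividend / divisor;
    if (q > 0xFFFFFFFFull) return r;                 /* quotient overflow -> #DE */
    r.eax = (uint32_t)q;
    r.edx = (uint32_t)(dividend % divisor);
    r.fault = 0;
    return r;
}

/* IDIV r/m32: same shape, two's-complement signed. Quotient truncates toward
 * zero and the remainder takes the sign of the dividend; #DE when the quotient
 * is outside [INT32_MIN, INT32_MAX]. */
struct regs x86_idiv32(uint32_t edx, uint32_t eax, uint32_t divisor) {
    struct regs r = { eax, edx, 1 };
    int32_t d = (int32_t)divisor;
    if (d == 0) return r;
    int64_t dividend = (int64_t)(((uint64_t)edx << 32) | eax);
    if (dividend == INT64_MIN && d == -1) return r;  /* undefined in C, and #DE on the CPU */
    int64_t q = dividend / d;
    if (q > INT32_MAX || q < INT32_MIN) return r;
    r.eax = (uint32_t)(int32_t)q;
    r.edx = (uint32_t)(int32_t)(dividend % d);
    r.fault = 0;
    return r;
}

/* CDQ: sign-extend eax into edx, the correct setup before IDIV
 * (before DIV use 'xor edx, edx' instead). */
uint32_t cdq(uint32_t eax) { return (int32_t)eax < 0 ? 0xFFFFFFFFu : 0u; }

static void show(const char *label, struct regs r) {
    if (r.fault) printf("%-30s #DE\n", label);
    else printf("%-30s eax=0x%08x edx=0x%08x\n", label, r.eax, r.edx);
}

int main(void) {
    show("div 13/5, edx cleared:",     x86_div32(0, 0xd, 5));   /* eax=2 edx=3, the page's example */
    show("div 0/5 with edx left at 5:", x86_div32(5, 0, 5));    /* quotient 0x100000000 -> #DE */
    show("idiv -13/5 after cdq:",      x86_idiv32(cdq((uint32_t)-13), (uint32_t)-13, 5)); /* -2, -3 */
    show("idiv -13/5 with edx=0 (bug):", x86_idiv32(0, (uint32_t)-13, 5)); /* no fault, wrong result */
    return 0;
}
```

The last line is the subtle one: with edx=0 the dividend is read as the positive 0x00000000FFFFFFF3, so the CPU happily returns eax=0x33333330, edx=3 instead of -2 and -3.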

inline hook




a) compute the distance to jump (the rel32 displacement); it is used in (d)
b) copy the original instructions at the start of the original function to a new area in memory (the trampoline)
c) put a 'jmp' opcode at the start of the original function
d) put (a) at (original_function + 1) as the operand of the jmp written in (c)
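Added example (my own code, not from the page): steps (a) to (d) carried out on a constructed byte buffer that stands in for code memory, so the displacement arithmetic can be checked without touching a live process. The layout (target function at 0x100 with a six-byte 'push ebp; mov ebp,esp; sub esp,0x10' prologue, hook at 0x180, trampoline at 0x1C0) is invented for the demo. On a real target the same bytes are written to real addresses after VirtualProtect/mprotect, and the copy length must end on an instruction boundary, which takes a length disassembler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "code memory" standing in for the process image; addresses are
 * offsets into it. Not a real binary. */
#define CODE_SIZE 0x200u
#define JMP_LEN   5u          /* E9 rel32 */

/* (a) displacement for a 'jmp rel32' placed at `from` that lands at `to`: the CPU
 * adds rel32 to the address of the *next* instruction, i.e. from + 5. */
int32_t jmp_rel32(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + JMP_LEN));
}

/* Write E9 + rel32 at `at`. The 4-byte displacement lands at at+1, step (d). */
static void write_jmp(uint8_t *mem, uint32_t at, uint32_t to) {
    int32_t rel = jmp_rel32(at, to);
    mem[at] = 0xE9;
    memcpy(mem + at + 1, &rel, 4);                 /* little-endian, as x86 encodes it */
}

/* Install the hook. n = bytes of the original prologue to relocate; it must be
 * >= 5 and end on an instruction boundary, and the relocated bytes must not
 * contain eip/rip-relative instructions (those would need fixing up). */
int install_hook(uint8_t *mem, uint32_t target, uint32_t hook, uint32_t trampoline, uint32_t n) {
    if (n < JMP_LEN || target + n > CODE_SIZE || trampoline + n + JMP_LEN > CODE_SIZE) return -1;
    memcpy(mem + trampoline, mem + target, n);     /* (b) save the instructions we overwrite */
    write_jmp(mem, trampoline + n, target + n);    /*     ...then continue in the original */
    write_jmp(mem, target, hook);                  /* (c)+(d) jmp hook at the function start */
    return 0;
}

/* Demo layout (constructed): target at 0x100 with a 6-byte prologue
 * 'push ebp; mov ebp,esp; sub esp,0x10', hook at 0x180, trampoline at 0x1C0. */
struct hook_demo { uint8_t opcode; int32_t rel_to_hook; int32_t rel_back; int prologue_intact; };

struct hook_demo run_demo(void) {
    static const uint8_t prologue[6] = { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10 };
    uint8_t mem[CODE_SIZE] = {0};
    const uint32_t target = 0x100, hook = 0x180, tramp = 0x1C0;
    memcpy(mem + target, prologue, sizeof prologue);
    struct hook_demo d = {0};
    if (install_hook(mem, target, hook, tramp, (uint32_t)sizeof prologue) != 0) return d;
    d.opcode = mem[target];
    memcpy(&d.rel_to_hook, mem + target + 1, 4);
    memcpy(&d.rel_back, mem + tramp + sizeof prologue + 1, 4);
    d.prologue_intact = memcmp(mem + tramp, prologue, sizeof prologue) == 0;
    return d;
}

int main(void) {
    struct hook_demo d = run_demo();
    printf("target+0: %02X rel32=%d (lands at 0x%X)\n",
           d.opcode, d.rel_to_hook, 0x100 + 5 + d.rel_to_hook);
    printf("trampoline: original bytes %s, then jmp rel32=%d (lands at 0x%X)\n",
           d.prologue_intact ? "intact" : "CORRUPT", d.rel_back, 0x1C6 + 5 + d.rel_back);
    return 0;
}
```

Both displacements are measured from the end of their own 5-byte jmp, which is the step people get off by five: 0x180 - 0x105 = 0x7B for the hook, and 0x106 - 0x1CB = -0xC5 for the jump back into the original function. The same E9 rel32 works on x64 as long as hook and target are within 2 GiB of each other.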